General
Target: Tax Invoice.xlsm
Size: 42KB
Sample: 221117-mclsbaeb56
MD5: 241d9fbb42762beb00492d32d5e9d291
SHA1: e6f1f8bbc40a59911543be499e1e07b54d55c3f4
SHA256: e7df88b691f820535f249821d16054a01f33e0acf3ae12d0b64f98cced910012
SHA512: a503b4e51bb09fa2e5c1b2a546cbf0c562200e77e67f2f81757f0b6f5460cc38e33d0ea871b7f7c1d92ed82ac3ca756a37e08a5e633077a560c9627516ea9aef
SSDEEP: 768:IvjsCvCssn3uBIJYfTH+niSpKvDH7Nv+nWhFFiKk/f7qtNhTxRB+nE2g7/:IvDvCT3uG1ByT7Nv+qFFi3/jqLxxyE2g
Static task: static1
Behavioral task: behavioral1
Sample: Tax Invoice.xlsm
Resource: win7-20221111-en
Malware Config
Extracted family: netwire
C2: 212.193.30.230:3345
activex_autorun: false
copy_executable: false
delete_original: false
host_id: HostId-%Rand%
keylogger_dir: %AppData%\Logs\
lock_executable: false
offline_keylogger: true
password: Password@9
registry_autorun: false
use_mutex: false
Targets
Target: Tax Invoice.xlsm
Size: 42KB
MD5: 241d9fbb42762beb00492d32d5e9d291
SHA1: e6f1f8bbc40a59911543be499e1e07b54d55c3f4
SHA256: e7df88b691f820535f249821d16054a01f33e0acf3ae12d0b64f98cced910012
SHA512: a503b4e51bb09fa2e5c1b2a546cbf0c562200e77e67f2f81757f0b6f5460cc38e33d0ea871b7f7c1d92ed82ac3ca756a37e08a5e633077a560c9627516ea9aef
SSDEEP: 768:IvjsCvCssn3uBIJYfTH+niSpKvDH7Nv+nWhFFiKk/f7qtNhTxRB+nE2g7/:IvDvCT3uG1ByT7Nv+qFFi3/jqLxxyE2g
Signatures
- NetWire RAT payload
- Process spawned unexpected child process: this typically indicates the parent process was compromised via an exploit or macro.
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Suspicious use of SetThreadContext